
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #42

May 29, 2009

NEWSBITES FLASH 11:15 AM Today. Washington, DC. The White House. The East Room in the White House is awash in sunlight, amplified by the klieg lights of TV cameras. More than 100 people who have played a role in the 60 day review are joined by 50 reporters and camera people, all awaiting the arrival of President Obama to deliver the results of the Cyberspace Policy Review. The mood is appropriately subdued, but the energy is very high. The President arrives. "A transformational moment," he says. "Cyberspace is real and so are the risks." "I know about the problem personally," he continues. "During the general election, hackers managed to penetrate our campaign computer networks. They got access to [my] emails and policy papers and travel plans."

The President then laid out the scope of the problem ("one of the most serious challenges we face as a nation and we are not as prepared as we need to be") and then introduced his new "Cyberspace Policy Review," which presents 24 key actions. Most of the actions are policy and strategy based and won't, in themselves, have a huge impact, but two of them will make all the difference. (1) Naming a single official in the White House, called the Cyber Security Coordinator, with "regular access to me" to oversee cyber security across the government (this corrects the biggest error made in the previous Administration). (2) Using government procurement to improve market incentives for secure and resilient hardware (the $70 billion in annual federal IT spending is the single most powerful weapon the nation has to improve security).

You'll read hundreds of articles on the 60 day review - but we wanted Newsbites readers to get a first look. The bottom line is that this was a huge success for people who care about improving cyber security in the US.
Alan

TOP OF THE NEWS

Merrick Bank has filed a lawsuit against Savvis, alleging negligence because the company certified CardSystems Solutions as compliant with Visa and MasterCard security requirements less than a year before the payment processor suffered a massive data security breach. Merrick claims that fraudulent transactions resulting from the breach cost it US $16 million in payments to the credit card companies for using a non-compliant processor, payments to banks affected by the breach and legal fees. Attackers were able to steal information on 40 million credit card accounts because CardSystems stored unencrypted card data on its servers.
-http://www.finextra.com/fullstory.asp?id=20067
-http://www.digitaltransactions.net/newsstory.cfm?newsid=2221
[Editor's Note (Pescatore): Making this charge stick will require proving that the non-compliant condition existed at the time of the audit and should have been discovered with reasonable diligence. But it will be good to see some external attention focused on the PCI audit process.
(Schultz): The issue concerning whether an organization is (but probably more importantly, *was* at the time of a data security breach) PCI-DSS compliant is becoming increasingly complex. If a bank, merchant, or other organization has passed a PCI-DSS audit, but then a security breach involving credit card information occurs sometime later, the PCI Consortium has increasingly suddenly declared the organization to be non-compliant. As good as they are, PCI-DSS standards do not require anything near perfect data security, and no audit is 100 percent comprehensive. Residual risk will always be present as long as systems are connected to any network. If PCI-DSS auditors are going to become legally liable for future data security breaches, the cost to perform these audits will, unfortunately, most likely skyrocket out of control.
(Hoelzer): While the legal system is an important tool when it comes to forcing organizations to be responsible, this may mark a dangerous time for PCI. PCI/DSS isn't perfect, but it's a pretty good start. If lawsuits continue to pile on, however, we could see energy start to build for the elimination of standards of this kind, since they may appear to be leading toward greater liability rather than reduced liability.]

Cyber Security Status Report Due Out Friday; President May Announce Cyber Czar Position (May 26, 2009)

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES

Phisher Sentenced to Eight-and-a-Half Years in Prison (May 27, 2009)

US District Court Judge John Tunheim has sentenced Sergiu D. Popa to eight-and-a-half years in prison for a phishing scheme in which he stole sensitive personal and financial information from thousands of people. Popa was originally from Romania but lived in Michigan when he committed the crime. Popa admitted that he used the stolen information to conduct approximately US $700,000 worth of fraudulent transactions between June 2000 and February 2007.
-http://www.startribune.com/local/46231247.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ckUiD3aPc:_Yyc:aUUl
[Editor's Note (Schmidt): As more of these criminals are caught and get serious jail time, I hope many more will get the message that "if you can't do the time, don't do the crime".]

Eighteen Percent of Computers at Interior Missing or Lost (May 28, 2009)

According to a report from the US Department of the Interior's inspector general (IG), the Department cannot account for the whereabouts of 18 percent of its computers. The vast majority of the missing computers, 450 out of a sample of 2,500, belonged to the Fish and Wildlife Service. Just two of the department's eight bureaus have kept good records of their computer inventories, according to the report, and disposal procedures for machines vary from bureau to bureau. In addition, the majority of the department's PCs are not encrypted.
-http://www.eweek.com/c/a/Security/Department-of-Interior-Computers-Missing-Report-Finds-443176/
[Editor's Note (Skoudis): If you don't know where a computing asset is or whose control it is under, you cannot secure it. Building and maintaining an asset inventory is difficult work, to be sure, but it is vital. An effective inventory maps each system to an employee, a manager, and an asset owner. Let's learn a lesson from this story, and double check our own asset inventories to make sure they are being maintained.
(Northcutt): It's 8 P.M.; do you know where your computers are? Critical security control 1, quick win 1: "QW: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to the enterprise network. Both active tools that scan through network address ranges, and passive tools that identify hosts based on analyzing their traffic should be employed."
-http://www.sans.org/cag/control/1.php]

VULNERABILITIES

RIM Issues Advisory on PDF Vulnerability (May 28, 2009)

Research in Motion (RIM) has issued an advisory warning users that a vulnerability in the way BlackBerry servers handle malformed PDF files could be exploited to launch a code injection attack. For the attack to work, users would need to be tricked into opening an email message with a maliciously crafted PDF attachment. The flaw affects BlackBerry Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 5.0 and BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4). While the company has issued an interim update for the vulnerability, RIM is encouraging customers to disable PDF processing on BlackBerry servers until a more thorough fix is available.
-http://www.theregister.co.uk/2009/05/28/blackberry_pdf_peril/
-http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18327
[Editor's Note (Schultz): Once again, RIM deserves considerable credit for its candidness to users concerning vulnerabilities and solutions in its products.
(Skoudis): RIM's BES servers have had several vulnerabilities associated with PDF parsing in the last year, with major vulnerability fixes released in July 2008, January 2009, and now. Perhaps RIM should really re-do the code architecture and implementation associated with PDF parsing in BES servers.]

Aetna Notifies 65,000 Current and Former Employees of Data Breach (May 28, 2009)

Aetna has notified 65,000 current and former employees that their Social Security numbers (SSNs) and email addresses were compromised in a security breach. The job application website also contained email addresses of as many as 450,000 job applicants. Aetna became aware of the breach after people started complaining about phishing emails that appeared to come from the insurance company. The messages claimed they were related to job inquiries and asked the recipients for additional personal information. A computer forensics company is investigating how the breach was accomplished.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133621

MISCELLANEOUS

Authorities Searching For Man Who Tried to Steal US $9 Million From Former Employer (May 26, 2009)

State and federal officials are searching for a former California water utility employee who resigned late last month and, hours later, gained physical access to the facility to transfer more than US $9 million from his former employer's bank account to accounts in Qatar. Abdirahman Ismail Abdi is believed to have fled to Canada after putting his wife and children on a plane to Frankfurt, Germany. Two of the wire transfers were blocked; funds from the third transfer are believed to be frozen. The incident illustrates the importance of implementing access controls, including promptly revoking physical and system access when an employee leaves.
-http://www.theregister.co.uk/2009/05/26/utility_transfer_heist/

Correction:

In Tuesday's NewsBites (Volume 11, Number 41), we ran a story about a college student whose seized property was returned after a judge granted his request to quash a search warrant. The school was misidentified; the student attends Boston College, not Boston University. We apologize for any confusion this may have caused.

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/